IMHO, one thing I would suggest is to go to the Azure App Registration and target specific user(s)/group(s) you will allow access to PSU, then in the App Registration’s token configuration select to only include groups assigned to the application. This cuts down on token bloat, and is probably best from an OpSec perspective to not unnecessarily expose users’ group memberships.
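As an added example (not from this thread, nor PowerShell Universal's own code), a small Python check that inspects the `groups` claim of an ID token the way the restricted setting is meant to shape it: only the group IDs assigned to the app should appear (placeholder GUIDs assumed here), no unrelated memberships, and no overage markers. Signature validation is assumed to have happened upstream; the token built here is a constructed, unsigned sample.

```python
import base64
import json

# Assumed placeholder object IDs for the groups assigned to the PSU app
# registration; a real deployment would load these from its own config.
ASSIGNED_GROUPS = {
    "11111111-1111-1111-1111-111111111111",  # e.g. PSU-Admins
    "22222222-2222-2222-2222-222222222222",  # e.g. PSU-Operators
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) purely for this demo."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of an already-validated token (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audit_groups_claim(claims: dict, assigned: set) -> dict:
    """Check a token against the 'groups assigned to the application' setting.

    overage:    the groups list was replaced by _claim_names/_claim_sources
                (or hasgroups) because the user is in too many groups; with
                the restricted setting this should not happen.
    leaked:     group IDs present that are not assigned to the app, i.e. the
                token still exposes unrelated memberships.
    authorized: at least one assigned group is present.
    """
    groups = set(claims.get("groups") or [])
    overage = "_claim_names" in claims or claims.get("hasgroups") is True
    return {
        "overage": overage,
        "leaked": sorted(groups - assigned),
        "authorized": bool(groups & assigned),
    }
```

A non-empty `leaked` list on a token from the restricted configuration is a sign the app registration is still emitting all security groups rather than only the assigned ones.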
That’s true, except that it kills your ability to use nested groups. In my case I have to use ‘Only groups assigned to application’ because we’re a fairly large organization with loads of groups. I’ll be working on transitioning to a 1:1 no-nesting format unless I figure out a different way to do it.
Yeah, you’re absolutely right. We do our best to avoid nesting groups (“one group, one purpose” mantra). Definitely recognize my suggestion doesn’t work in your setup.